A Brief Analysis of the Different Development Paths of Zero Trust Technology in China and Abroad

Zero trust shifts the scope of network defense from the broad network perimeter to individual resources or small groups of them. It also represents a new generation of network security thinking: it breaks with default "trust" and follows the principle of "always verify, never trust", meaning that by default no person, device or system inside or outside the network is trusted. Instead, the basis of trust for access control is rebuilt on identity authentication and authorization, ensuring that identity, device, application and link are all trustworthy. This article aims to give you a fuller understanding of zero trust as a security concept by tracing the different development paths it has taken in China and abroad.

The concept of "zero trust" was first proposed in the United States. Why there first? Because it is closely tied to the rapid growth of cloud computing and big data technology in the US.

As the zero trust technology stack matured, and as cloud and web applications kept growing, enterprises became more receptive to this defensive model of dynamic authentication and least-privilege management, which moves security from reacting during an incident to preventing it beforehand.

The proven zero trust practice of Internet giants such as Google further strengthened investment from capital and vendors; today the largest security company in the US is not a traditional firewall vendor but a zero trust company.

In China, by contrast, mobile Internet business boomed, and online payments grew alongside it. The security of online payment was the first concern of Internet giants such as Alibaba and Tencent, so zero trust was first put into practice and real use domestically in the mobile payment sector.

As the concept spread in China, it gradually won recognition from more enterprises and institutions.

For example, remote work was widely adopted during the pandemic, and relying on a single VPN for access led to quite a few security incidents in that period. The question of how to improve the security of remote work, remote access and business applications drove more enterprise and institutional customers to adopt zero trust, and zero trust security vendors sprang up like mushrooms after rain.

The SaaS technology route for zero trust abroad

Zero trust SaaS is growing rapidly in the US: over 30% have already implemented zero trust SaaS, and a further 44% of customers are preparing to.

Zero trust SaaS assumes that no one is trusted: identity is verified first and access to resources authorized afterwards. It is identity-centric: only after "pre-authentication" and "pre-authorization" does a user obtain a single-use channel to the system. It follows the principle of least privilege, granting a user on each occasion the minimum access needed to get the job done. And it uses dynamic access control: every access channel is single-use and governed by a dynamic access control policy.

According to a Forrester report, a zero trust SaaS vendor needs a deep understanding of zero trust, strong micro-segmentation capability, broad integration and API capability, and the ability to identify and monitor any identity that may pose a risk (not just IAM).

Zero trust giant Okta, for example, uses a SaaS subscription model; its zero trust SaaS is embedded deeply in customers' business processes and personnel, with a revenue renewal rate of 120%. Zero trust SaaS requires a vendor to master technologies such as micro-segmentation and data security, and the leading companies usually have a deep understanding of network management, firewalls and cloud security.

As the zero trust market has heated up, more US companies have entered the zero trust business. We divide the US zero trust commercial companies into three categories:

- First, in-house-use-turned-commercial vendors. Representative companies: Google, Akamai, Microsoft, etc.;
- Second, acquisition-built vendors. Representative companies: Cisco, Symantec, Palo Alto Networks, Unisys, Proofpoint, etc.;
- Third, technology startups. Representative companies: Zscaler, Okta, Cloudflare, Illumio, Cyxtera, etc.

Many organizations have high expectations for the future US market. According to a Cybersecurity Insiders survey, 15% of the IT teams surveyed have already implemented zero trust SaaS and 44% say they are preparing to deploy it.

Gartner estimates that by 2022, 80% of new digital business applications opened to ecosystem partners will be accessed through zero trust network access (ZTNA), and that by 2023, 60% of enterprises will phase out most of their remote-access virtual private networks in favor of zero trust SaaS.

Technical practice of Chinese Internet vendors

With the rapid development of the Chinese Internet and the growing informatization and mobility of Internet companies, enterprises' "internal business systems" have gradually become the organization's core assets, and handling internal business from anywhere at any time has become increasingly common.

However, the many branch subsidiaries and offices spread across the country or the world do not necessarily have leased lines into the group intranet; they often connect over public-network VPNs, which suffer from insufficient security and poor access efficiency. At the same time, the network security management regimes of acquired and partner companies are hard to keep consistent with the group's, so when they access group intranet resources there are problems with verifying personnel identity and establishing device trust.

To meet this need, starting in 2015 Tencent designed and developed in-house, and deployed internally, a zero trust security management system, Tencent iOA. It provides identity trust, device trust, application process trust, link protection and acceleration, and other functions, and meets the dynamic access control needs of six major scenarios: perimeterless office work and operations, hybrid cloud business, secure branch access, secure invocation of application data, unified identity with centralized business control, and globally accelerated link access. It gives enterprises a one-stop zero trust solution for perimeterless least-privilege access control and an upgraded security posture.

Alibaba Cloud launched an office zero trust solution, similar to a simplified version of Google's BeyondCorp. Endpoint control via an agent, application access through an SPG (Service Provide Gateway) and identity authentication through IDaaS proceed in parallel, offering flexible combinations to meet enterprise requirements.

The solution can be summed up by two keywords, "trusted" and "dynamic", and consists of two core modules and components. The first module is remote endpoint security management: trusted authentication and identity management of remote endpoints, judging the security of devices joining the network in real time rather than statically. The second module is dynamic decision-making and control in the cloud: on one hand, unified strong authentication of every user identity; on the other, dynamic assignment of user permissions based on a range of security factors.

Technology routes of Chinese security vendors

The hype around zero trust in China began in 2015 and gradually spread across industry sectors. Because zero trust security technology arrived through foreign cloud vendors and consulting firms, domestic security vendors each started from their own product strengths and promoted solutions first; reference cases gradually began to appear from 2019.

At the same time, the Chinese information security market differs from the European and American markets. Demand for network security in China is currently concentrated in government ministries and large industry sectors (finance, telecom operators, energy and so on). These customers have already built private or hybrid clouds, and the leading customers, driven by their own business needs, are more receptive to the advanced security concept of zero trust.

The lure of successful foreign business models and the real needs of leading domestic customers together drive domestic capital and security vendors to invest more in zero trust. At present, domestic vendors' technology routes fall into three types: the zero trust SDP route, the zero trust IAM route and the BeyondCorp route.

The zero trust SDP route

The Cloud Security Alliance published the English edition of the SDP Specification V1.0 in 2014, and a Chinese edition in 2019. Gartner's designation of SDP as a best practice for zero trust, together with the publication of the SDP standard, gave more domestic vendors a clearer direction for SDP solutions, and each vendor has shaped its SDP offering differently according to its own accumulated technology.

The security concept of Venustech's (啓明星辰) eTrust SDP is identity-centric: building a zero trust security architecture characterized by network stealth, trusted access, dynamic access control and easy operation. Its components, the eTrust client, eTrust gateway, eTrust controller and ASCG, help users achieve zero trust capabilities such as network stealth, continuous trusted access, dynamic access control and least-privilege management, providing an integrated zero trust solution for remote access, application access and data protection.

The zero trust IAM route

IAM (Identity and Access Management) is a sub-field of network security.

In terms of effect, an IAM product defines and manages users' roles and access rights: it decides who may access, how they access, and what operations they may perform once they have access.

IAM solutions also include the 4A features: account, authentication, authorization and audit. All of these are present in, and key to, zero trust security, which means IAM vendors can migrate to a zero trust security architecture at lower cost and with more visible results.

The IAM segment mainly solves users' application access and permission control problems, so this kind of zero trust solution focuses on the application and data side of user access, and its coverage of network access and remote access scenarios is limited.

The BeyondCorp route

Google's BeyondCorp was one of the earliest zero trust projects to be put into practice. The core of BeyondCorp is introducing or extending network components such as single sign-on, an access proxy, an access control engine, a user inventory, a device inventory, security policies and a trust repository. These components work together to uphold three guiding principles:

- A particular network connection must not determine which services a user can access;
- Access to services is granted based on what is known about the user and the device;
- All access to services must be authenticated, authorized and encrypted.

Comparing the zero trust technology routes at home and abroad, we can see that each has its own characteristics and strengths.

Today, as industries digitize and business moves to the cloud, the traditional enterprise security perimeter is gradually dissolving. Identity-centric zero trust access control has won recognition from more and more industry customers, and there is no doubt that zero trust will become the future trend of the network security industry.

Further reading:

"Zero Trust Is Not a 'Silver Bullet'" (https://www.infoq.cn/article/iT3XGhQ8WDjitX3Ed3Am)

"Understanding Zero Trust: Origins, Development and Architecture" (https://www.infoq.cn/article/9k4PmXl3GLiXh6LOQWMU)